Which tier focuses on the mission/business processes in NIST SP 800-39?

The correct answer is based on the structure of the NIST SP 800-39 framework, which delineates different tiers of risk management related to organizational operations. Tier 2 specifically emphasizes the integration of risk management practices with the organization’s mission and business processes. This tier is characterized by active collaboration among stakeholders to understand the business context and the specific risks inherent in their operations.

Tier 2 aligns risk management with strategic decision-making and operational goals, ensuring that risk considerations are inherently woven into the processes that drive business objectives. It involves assessing risk in a way that is meaningful to the organization's mission, thereby enabling informed decision-making that supports both security and business functions.

In contrast, Tier 1 is focused more on the organizational governance level, Tier 3 delves into the implementation of risk management practices at the information system level, and Tier 4 involves the continuous monitoring and adaptive response to risk. Each tier has distinct characteristics, but it is Tier 2 that actively connects risk management with the organization’s core mission and business processes.